Professional Documents
Culture Documents
Thought Process: This blog was meant to inform potential clients about new
NIST guidelines and how they might affect them. I interviewed our Sr. Security
Engineer and Chief Information Security Officer to find key issues and
recommendations that could be easily digested and understood.
Article:
The National Institute of Standards and Technology (NIST) has issued a final
update of its guidance to organizations assessing their internal security IT
systems.
The NIST “Assessing Security and Privacy Controls in Information Systems and
Organizations” document advocates an assessment-and-procedures approach,
providing guidelines on which areas of the compute and network
infrastructure to examine in order to surface security issues.
The guidance’s emphasis on completeness shows up in the asset inventory – the
list of devices and systems that make up a company’s threat landscape. A
complete inventory has always been a foundation of a strong cybersecurity
response, and it must be compiled comprehensively to be effective. Companies
without a firm grasp of the assets at their disposal could face foundational
gaps in their security configuration and infrastructure.
Trust- and risk-based concerns about third-party monitoring are real, and
are an issue that TorchLight continues to work on with its clients. Still, sharing
the responsibility and duties of implementing the NIST guidelines with a
security partner can help companies pursue the highest quality of security
infrastructure.
For Monte Carlo, a similar industry-specific article might give examples of lost
revenue due to data downtime and why that matters.
Article:
For financial institutions, strong cyber defenses are essential. Simply following
safety regulations, however, doesn’t mean institutions like banks, insurance, or
investment firms are immune from attacks. For many years, financial
institutions have been prime targets for cyber attacks (and especially
ransomware attacks). Get ahead of attackers and protect valuable assets
from impending ransomware attacks. Here are a few things that financial
institutions should know about ransomware – its current trends, targets, and
tactics.
The potential for a high payout makes financial institutions prime targets for
ransomware attacks. The disproportionate number of attacks on financial
institutions rose even higher in 2021 – potentially due to the perceived
decrease in security with so much of the corporate workforce still working
from home. As a result, President Biden has made preventing cyber threats a
main feature of his presidential agenda.
In March of 2021, the U.S. insurance firm CNA fell victim to a ransomware
attack that disrupted the firm’s employee and customer service. It impacted
corporate email and the systems and functionality of CNA’s website, leading
the insurance firm to pay the hackers $40 million to regain control. The
ransomware attack exposed the personal information (including names and
Social Security numbers) of thousands of employees, contractors, and
policyholders. It has prompted financial institutions and enterprises alike to
ensure that they have top-level protection not only for regulated customer
data, but also for employee data and internal systems.
Article:
With the shift to remote work, the zero trust model became more widely
adopted across the cybersecurity landscape. Sensitive business resources
that were once available only in the office are now accessed from home,
which changes how they must be protected. Zero trust strategies went from
optional to critical because of the control issues that come with a
distributed workforce. A home network or coffee-shop Wi-Fi could become the
entry point for a malicious actor infiltrating your organization’s networks
through employee devices. As workforce strategies change, more companies are
realizing how essential zero trust strategies are for their cybersecurity
hygiene.
Zero trust allows your business to operate safely both within and outside of
your business’ secure network. Through zero trust, employees receive access
to only the files and data they need to complete their work – without
compromising other systems if there is a breach. Zero trust protects your
business with a continuous verification process, requiring employees to
re-obtain access at every entry point. Instead of relying on standard password
protection alone, zero trust uses a combination of these three strategies to
ensure greater protection and privacy:
Zero trust helps secure all the endpoints and permissions with an additional
layer of verification, reducing the risk of both outside and internal threats to
your organization. Zero trust exemplifies a least privilege model where
employees only have access to what they need, eliminating the internal
threat of an employee harming the system. As remote work remains common
and gains popularity, organizations like yours should adopt zero trust
strategies to securely protect your business from possible internal and
external threats.
Conclusion